Security and Technology Policies Management

Purpose

This policy is intended to establish requirements for the creation and management of security and technology related policies.

Scope

This policy applies to security and technology policies that fall within the scope of GitLab’s security compliance audits and assessments.

Roles & responsibilities

Role                                          | Responsibility
Security Governance Team                      | Responsible for conducting the annual controlled documents review and enforcing this policy
Security Assurance Management (Code Owners)   | Responsible for approving changes to this policy

Policy

Policy creation and requirements

All in-scope policies must be created as version controlled documents in GitLab.

All in-scope policies must be listed in the policies section of the CODEOWNERS file with appropriate stakeholders listed as codeowners.

At a minimum, all in-scope policies must include a purpose, scope, roles and responsibilities, and policy statements.

All policy statements for in-scope policies must be mapped to the appropriate GCF control(s).

Policy review and approval

All in-scope policies must be reviewed and approved by appropriate stakeholders prior to merging the initial merge request (MR) that creates the policy.

All in-scope policies must be reviewed and approved by appropriate stakeholders on at least an annual basis in coordination with the Controlled Document Procedure annual review.

Policy communication and training

New and updated policies must be communicated to relevant team members upon creation or material update.

Relevant in-scope policies must be acknowledged by team members during onboarding training and annually thereafter.